Computer Security - Discussion

profilegiggles.desmoin
Ch15-CISSP.pdf

453

Chap ter 15 Se cu rity As sess ment and Test ing

THE CISSP EXAM TOP ICS COV ERED IN THIS CHAP TER IN CLUDE:

Do main 6: Se cu rity As sess ment and Test ing 6.1. De sign and val i date as sess ment, test, and au dit strate gies

6.1.1 In ter nal

6.1.2 Ex ter nal

6.1.3 Third-party

6.2. Con duct se cu rity con trol test ing

6.2.1 Vul ner a bil ity as sess ment

6.2.2 Pen e tra tion test ing

6.2.3 Log re views

6.2.4 Syn thetic trans ac tions

6.2.5 Code re view and test ing

6.2.6 Mis use case test ing

6.2.7 Test cov er age anal y sis

6.2.8 In ter face test ing

6.3. Col lect se cu rity process data

6.3.1 Ac count man age ment

6.3.2 Man age ment re view and ap proval

6.3.3 Key per for mance and risk in di ca tors

6.3.4 Backup ver i fi ca tion data

6.4. An a lyze test out put and gen er ate re port

6.5. Con duct or fa cil i tate se cu rity au dits

6.5.1 In ter nal

6.5.2 Ex ter nal

6.5.3 Third Party

Through out this book, you’ve learned about many of the dif fer ent con trols that in for ma tion se cu rity pro fes sion als im ple ment to safe guard the con fi den tial ity, in tegrity, and avail abil ity of data. Among these, tech ni cal con trols play an im por tant role pro tect ing servers, net works, and other in for ma tion pro cess ing re sources. Once se cu rity pro fes sion als build and con fig ure these con trols, they must reg u larly test them to en sure that they con tinue to prop erly safe guard in for ma tion.

Se cu rity as sess ment and test ing pro grams per form reg u lar checks to en sure that ad e quate se cu rity con trols are in place and that they ef fec tively per form their as signed func tions. In this chap ter, you’ll learn about many of the as sess ment and test ing con trols used by se cu rity pro fes sion als around the world.

Build ing a Se cu rity As sess ment and Test ing Pro gram The cor ner stone main te nance ac tiv ity for an in for ma tion se cu rity team is their se cu rity as sess ment and

test ing pro gram. This pro gram in cludes tests, as sess ments, and au dits that reg u larly ver ify that an or ga ni za tion has ad e quate se cu rity con trols and that those se cu rity con trols are func tion ing prop erly and ef fec tively safe guard ing in for ma tion as sets.

454

In this sec tion, you will learn about the three ma jor com po nents of a se cu rity as sess ment pro gram:

Se cu rity tests

Se cu rity as sess ments

Se cu rity au dits

Se cu rity Test ing Se cu rity tests ver ify that a con trol is func tion ing prop erly. These tests in clude au to mated scans, tool-

as sisted pen e tra tion tests, and man ual at tempts to un der mine se cu rity. Se cu rity test ing should take place on a reg u lar sched ule, with at ten tion paid to each of the key se cu rity con trols pro tect ing an or ga ni za tion. When sched ul ing se cu rity con trols for re view, in for ma tion se cu rity man agers should con sider the fol low ing fac tors:

Avail abil ity of se cu rity test ing re sources

Crit i cal ity of the sys tems and ap pli ca tions pro tected by the tested con trols

Sen si tiv ity of in for ma tion con tained on tested sys tems and ap pli ca tions

Like li hood of a tech ni cal fail ure of the mech a nism im ple ment ing the con trol

Like li hood of a mis con fig u ra tion of the con trol that would jeop ar dize se cu rity

Risk that the sys tem will come un der at tack

Rate of change of the con trol con fig u ra tion

Other changes in the tech ni cal en vi ron ment that may af fect the con trol per for mance

Dif fi culty and time re quired to per form a con trol test

Im pact of the test on nor mal busi ness op er a tions

Af ter as sess ing each of these fac tors, se cu rity teams de sign and val i date a com pre hen sive as sess ment and test ing strat egy. This strat egy may in clude fre quent au to mated tests sup ple mented by in fre quent man ual tests. For ex am ple, a credit card pro cess ing sys tem may un dergo au to mated vul ner a bil ity scan ning on a nightly ba sis with im me di ate alerts to ad min is tra tors when the scan de tects a new vul ner a bil ity. The au to mated scan re quires no work from ad min is tra tors once it is con fig ured, so it is easy to run quite fre quently. The se cu rity team may wish to com ple ment those au to mated scans with a man ual pen e tra tion test per formed by an ex ter nal con sul tant for a sig nif i cant fee. Those tests may oc cur on an an nual ba sis to min i mize costs and dis rup tion to the busi ness.

Many se cu rity test ing pro grams be gin on a hap haz ard ba sis, with se cu rity pro fes sion als

sim ply point ing their fancy new tools at what ever sys tems they come across first. Ex per i men ta tion with new tools is fine, but se cu rity test ing pro grams should be care fully de signed and in clude rig or ous, rou tine test ing of sys tems us ing a risk-pri or i tized ap proach.

Of course, it’s not suf fi cient to sim ply per form se cu rity tests. Se cu rity pro fes sion als must also care fully re view the re sults of those tests to en sure that each test was suc cess ful. In some cases, these re views con sist of man u ally read ing the test out put and ver i fy ing that the test com pleted suc cess fully. Some tests re quire hu man in ter pre ta tion and must be per formed by trained an a lysts.

Other re views may be au to mated, per formed by se cu rity test ing tools that ver ify the suc cess ful com ple tion of a test, log the re sults, and re main silent un less there is a sig nif i cant find ing. When the sys tem de tects an is sue re quir ing ad min is tra tor at ten tion, it may trig ger an alert, send an email or text mes sage, or au to mat i cally open a trou ble ticket, de pend ing on the sever ity of the alert and the ad min is tra tor’s pref er ence.

Se cu rity As sess ments

Se cu rity as sess ments are com pre hen sive re views of the se cu rity of a sys tem, ap pli ca tion, or other tested en vi ron ment. Dur ing a se cu rity as sess ment, a trained in for ma tion se cu rity pro fes sional per forms a risk as sess ment that iden ti fies vul ner a bil i ties in the tested en vi ron ment that may al low a com pro mise and makes rec om men da tions for re me di a tion, as needed.

Se cu rity as sess ments nor mally in clude the use of se cu rity test ing tools but go be yond au to mated scan ning and man ual pen e tra tion tests. They also in clude a thought ful re view of the threat en vi ron ment, cur rent and fu ture risks, and the value of the tar geted en vi ron ment.

The main work prod uct of a se cu rity as sess ment is nor mally an as sess ment re port ad dressed to man age ment that con tains the re sults of the as sess ment in non tech ni cal lan guage and con cludes with spe cific rec om men da tions for im prov ing the se cu rity of the tested en vi ron ment.

455

As sess ments may be con ducted by an in ter nal team, or they may be out sourced to a third-party as sess ment team with spe cific ex per tise in the ar eas be ing as sessed.

NIST SP 800-53A

The Na tional In sti tute for Stan dards and Tech nol ogy (NIST) of fers a spe cial pub li ca tion that de scribes best prac tices in con duct ing se cu rity and pri vacy as sess ments. NIST Spe cial Pub li ca tion 800- 53A: As sess ing Se cu rity and Pri vacy Con trols in Fed eral In for ma tion Sys tems and Or ga ni za tions is avail able for down load:

http://nvlpubs.nist.gov/nist pubs/Spe cialPub li ca tions/NIST.SP.800-53Ar4.pdf

Un der NIST 800-53A, as sess ments in clude four com po nents.

Spec i fi ca tions are the doc u ments as so ci ated with the sys tem be ing au dited. Spec i fi ca tions gen er ally in clude poli cies, pro ce dures, re quire ments, spec i fi ca tions, and de signs.

Mech a nisms are the con trols used within an in for ma tion sys tem to meet the spec i fi ca tions. Mech a nisms may be based in hard ware, soft ware, or firmware.

Ac tiv i ties are the ac tions car ried out by peo ple within an in for ma tion sys tem. These may in clude per form ing back ups, ex port ing log files, or re view ing ac count his to ries.

In di vid u als are the peo ple who im ple ment spec i fi ca tions, mech a nisms, and ac tiv i ties.

When con duct ing an as sess ment, as ses sors may ex am ine any of the four com po nents listed here. They may also in ter view in di vid u als and per form di rect tests to de ter mine the ef fec tive ness of con trols.

Se cu rity Au dits Se cu rity au dits use many of the same tech niques fol lowed dur ing se cu rity as sess ments but must be

per formed by in de pen dent au di tors. While an or ga ni za tion’s se cu rity staff may rou tinely per form se cu rity tests and as sess ments, this is not the case for au dits. As sess ment and test ing re sults are meant for in ter nal use only and are de signed to eval u ate con trols with an eye to ward find ing po ten tial im prove ments. Au dits, on the other hand, are eval u a tions per formed with the pur pose of demon strat ing the ef fec tive ness of con trols to a third party. The staff who de sign, im ple ment, and mon i tor con trols for an or ga ni za tion have an in her ent con flict of in ter est when eval u at ing the ef fec tive ness of those con trols.

Au di tors pro vide an im par tial, un bi ased view of the state of se cu rity con trols. They write re ports that are quite sim i lar to se cu rity as sess ment re ports, but those re ports are in tended for dif fer ent au di ences that may in clude an or ga ni za tion’s board of di rec tors, gov ern ment reg u la tors, and other third par ties. There are three main types of au dits: in ter nal au dits, ex ter nal au dits, and third-party au dits.

Gov ern ment Au di tors Dis cover Air Traf fic Con trol Se cu rity Vul ner a bil i ties

Fed eral, state, and lo cal gov ern ments also use in ter nal and ex ter nal au di tors to per form se cu rity as sess ments. The U.S. Gov ern ment Ac count abil ity Of fice (GAO) per forms au dits at the re quest of Con gress, and these GAO au dits of ten fo cus on in for ma tion se cu rity risks. In 2015, the GAO re leased an au dit re port ti tled “In for ma tion Se cu rity: FAA Needs to Ad dress Weak nesses in Air Traf fic Con trol Sys tems.”

The con clu sion of this re port was damn ing: “While the Fed eral Avi a tion Ad min is tra tion (FAA) has taken steps to pro tect its air traf fic con trol sys tems from cy ber-based and other threats, sig nif i cant se cu rity con trol weak nesses re main, threat en ing the agency’s abil ity to en sure the safe and un in ter rupted op er a tion of the na tional airspace sys tem (NAS). These in clude weak nesses in con trols in tended to pre vent, limit and de tect unau tho rized ac cess to com puter re sources, such as con trols for pro tect ing sys tem bound aries, iden ti fy ing and au then ti cat ing users, au tho riz ing users to ac cess sys tems, en crypt ing sen si tive data, and au dit ing and mon i tor ing ac tiv ity on FAA’s sys tems.”

The re port went on to make 17 rec om men da tions on how the FAA might im prove its in for ma tion se cu rity con trols to bet ter pro tect the in tegrity and avail abil ity of the na tion’s air traf fic con trol sys tem. The full GAO re port may be found at http://gao.gov/as sets/670/668169.pdf.

In ter nal Au dits

In ter nal au dits are per formed by an or ga ni za tion’s in ter nal au dit staff and are typ i cally in tended for in ter nal au di ences. The in ter nal au dit staff per form ing these au dits nor mally have a re port ing line that is com pletely in de pen dent of the func tions they eval u ate. In many or ga ni za tions, the chief au dit ex ec u tive

456

re ports di rectly to the pres i dent, chief ex ec u tive of fi cer, or sim i lar role. The chief au dit ex ec u tive may also have re port ing re spon si bil ity di rectly to the or ga ni za tion’s gov ern ing board.

Ex ter nal Au dits

Ex ter nal au dits are per formed by an out side au dit ing firm. These au dits have a high de gree of ex ter nal va lid ity be cause the au di tors per form ing the as sess ment the o ret i cally have no con flict of in ter est with the or ga ni za tion it self. There are thou sands of firms who per form ex ter nal au dits, but most peo ple place the high est cred i bil ity with the so-called Big Four au dit firms:

Ernst & Young

De loitte & Touche

Price wa ter house C oop ers

KPMG

Au dits per formed by these firms are gen er ally con sid ered ac cept able by most in vestors and gov ern ing body mem bers.

Third-Party Au dits

Third-party au dits are con ducted by, or on be half of, an other or ga ni za tion. For ex am ple, a reg u la tory body might have the au thor ity to ini ti ate an au dit of a reg u lated firm un der con tract or law. In the case of a third-party au dit, the or ga ni za tion ini ti at ing the au dit gen er ally se lects the au di tors and de signs the scope of the au dit.

Or ga ni za tions that pro vide ser vices to other or ga ni za tions are fre quently asked to par tic i pate in third- party au dits. This can be quite a bur den on the au dited or ga ni za tion if they have a large num ber of clients. The Amer i can In sti tute of Cer ti fied Pub lic Ac coun tants (AICPA) re leased a stan dard de signed to al le vi ate this bur den. The State ment on Stan dards for At tes ta tion En gage ments doc u ment 16 (SSAE 16), ti tled Re port ing on Con trols, pro vides a com mon stan dard to be used by au di tors per form ing as sess ments of ser vice or ga ni za tions with the in tent of al low ing the or ga ni za tion to con duct an ex ter nal as sess ment in stead of mul ti ple third-party as sess ments and then shar ing the re sult ing re port with cus tomers and po ten tial cus tomers.

SSAE 16 en gage ments pro duce two dif fer ent types of re ports.

Type I re ports pro vide a de scrip tion of the con trols pro vided by the au dited or ga ni za tion as well as the au di tor’s opin ion based upon that de scrip tion. Type I au dits cover a sin gle point in time and do not in volve ac tual test ing of the con trols by the au di tor.

Type II re ports cover a min i mum six-month time pe riod and also in clude an opin ion from the au di tor on the ef fec tive ness of those con trols based upon ac tual test ing per formed by the au di tor.

Type II re ports are con sid ered much more re li able than Type I re ports be cause they in clude in de pen dent test ing of con trols. Type I re ports sim ply take the ser vice or ga ni za tion at their word that the con trols are im ple mented as de scribed.

In for ma tion se cu rity pro fes sion als are of ten asked to par tic i pate in in ter nal, ex ter nal, and third-party au dits. They com monly must pro vide in for ma tion about se cu rity con trols to au di tors through in ter views and writ ten doc u men ta tion. Au di tors may also re quest the par tic i pa tion of se cu rity staff mem bers in the ex e cu tion of con trol eval u a tions. Au di tors gen er ally have carte blanche ac cess to all in for ma tion within an or ga ni za tion, and se cu rity staff should com ply with those re quests, con sult ing with man age ment as needed.

When Au dits Go Wrong

The Big Four didn’t come into be ing un til 2002. Up un til that point, the Big Five also in cluded the highly re spected firm Arthur An der sen. An der sen, how ever, col lapsed sud denly af ter they were im pli cated in the col lapse of En ron Cor po ra tion. En ron, an en ergy com pany, sud denly filed for bank ruptcy in 2001 af ter al le ga tions of sys temic ac count ing fraud came to the at ten tion of reg u la tors and the me dia.

Arthur An der sen, then one of the world’s largest au dit ing firms, had per formed En ron’s fi nan cial au dits, ef fec tively sign ing off on their fraud u lent prac tices as le git i mate. The firm was later con victed of ob struc tion of jus tice and, al though the con vic tion was later over turned by the Supreme Court, quickly col lapsed due to the loss of cred i bil ity they suf fered in the wake of the En ron scan dal and other al le ga tions of fraud u lent be hav ior.

457

Au dit ing Stan dards

When con duct ing an au dit or as sess ment, the team per form ing the re view should be clear about the stan dard that they are us ing to as sess the or ga ni za tion. The stan dard pro vides the de scrip tion of con trol ob jec tives that should be met, and then the au dit or as sess ment is de signed to en sure that the or ga ni za tion prop erly im ple mented con trols to meet those ob jec tives.

One com mon frame work for con duct ing au dits and as sess ments is the Con trol Ob jec tives for In for ma tion and re lated Tech nolo gies (CO BIT). CO BIT de scribes the com mon re quire ments that or ga ni za tions should have in place sur round ing their in for ma tion sys tems.

The In ter na tional Or ga ni za tion for Stan dard iza tion (ISO) also pub lishes a set of stan dards re lated to in for ma tion se cu rity. ISO 27001 de scribes a stan dard ap proach for set ting up an in for ma tion se cu rity man age ment sys tem, while ISO 27002 goes into more de tail on the specifics of in for ma tion se cu rity con trols. These in ter na tion ally rec og nized stan dards are widely used within the se cu rity field, and or ga ni za tions may choose to be come of fi cially cer ti fied as com pli ant with ISO 27001.

Per form ing Vul ner a bil ity As sess ments Vul ner a bil ity as sess ments are some of the most im por tant test ing tools in the in for ma tion se cu rity

pro fes sional’s tool kit. Vul ner a bil ity scans and pen e tra tion tests pro vide se cu rity pro fes sion als with a per spec tive on the weak nesses in a sys tem or ap pli ca tion’s tech ni cal con trols.

Just to be clear on ter mi nol ogy, vul ner a bil ity as sess ments as they are de scribed in this

chap ter are ac tu ally se cu rity test ing tools, not se cu rity as sess ment tools. They prob a bly should be called vul ner a bil ity tests for lin guis tic con sis tency, but we’ll stick with the lan guage used by (ISC)2 in the of fi cial CISSP body of knowl edge.

De scrib ing Vul ner a bil i ties

The se cu rity com mu nity de pends upon a com mon set of stan dards to pro vide a com mon lan guage for de scrib ing and eval u at ing vul ner a bil i ties. NIST pro vides the com mu nity with the Se cu rity Con tent Au to ma tion Pro to col (SCAP) to meet this need. SCAP pro vides this com mon frame work for dis cus sion and also fa cil i tates the au to ma tion of in ter ac tions be tween dif fer ent se cu rity sys tems. The com po nents of SCAP in clude the fol low ing:

Com mon Vul ner a bil i ties and Ex po sures (CVE) pro vides a nam ing sys tem for de scrib ing se cu rity vul ner a bil i ties.

Com mon Vul ner a bil ity Scor ing Sys tem (CVSS) pro vides a stan dard ized scor ing sys tem for de scrib ing the sever ity of se cu rity vul ner a bil i ties.

Com mon Con fig u ra tion Enu mer a tion (CCE) pro vides a nam ing sys tem for sys tem con fig u ra tion is sues.

Com mon Plat form Enu mer a tion (CPE) pro vides a nam ing sys tem for op er at ing sys tems, ap pli ca tions, and de vices.

Ex ten si ble Con fig u ra tion Check list De scrip tion For mat (XC CDF) pro vides a lan guage for spec i fy ing se cu rity check lists.

Open Vul ner a bil ity and As sess ment Lan guage (OVAL) pro vides a lan guage for de scrib ing se cu rity test ing pro ce dures.

Vul ner a bil ity Scans Vul ner a bil ity scans au to mat i cally probe sys tems, ap pli ca tions, and net works, look ing for weak nesses that

may be ex ploited by an at tacker. The scan ning tools used in these tests pro vide quick, point-and-click tests that per form oth er wise te dious tasks with out re quir ing man ual in ter ven tion. Most tools al low sched uled scan ning on a re cur ring ba sis and pro vide re ports that show dif fer ences be tween scans per formed on dif fer ent days, of fer ing ad min is tra tors a view into changes in their se cu rity risk en vi ron ment.

There are four main cat e gories of vul ner a bil ity scans: net work dis cov ery scans, net work vul ner a bil ity scans, web ap pli ca tion vul ner a bil ity scans, and data base vul ner a bil ity scans. A wide va ri ety of tools per form each of these types of scans.

458

Re mem ber that in for ma tion se cu rity pro fes sion als aren’t the only ones with ac cess to

vul ner a bil ity test ing tools. At tack ers have ac cess to the same tools used by the “good guys” and of ten run vul ner a bil ity tests against sys tems, ap pli ca tions, and net works prior to an in tru sion at tempt. These scans help at tack ers zero in on vul ner a ble sys tems and fo cus their at tacks on sys tems where they will have the great est like li hood of suc cess.

Net work Dis cov ery Scan ning

Net work dis cov ery scan ning uses a va ri ety of tech niques to scan a range of IP ad dresses, search ing for sys tems with open net work ports. Net work dis cov ery scan ners do not ac tu ally probe sys tems for vul ner a bil i ties but pro vide a re port show ing the sys tems de tected on a net work and the list of ports that are ex posed through the net work and server fire walls that lie on the net work path be tween the scan ner and the scanned sys tem.

Net work dis cov ery scan ners use many dif fer ent tech niques to iden tify open ports on re mote sys tems. Some of the more com mon tech niques are as fol lows:

TCP SYN Scan ning Sends a sin gle packet to each scanned port with the SYN flag set. This in di cates a re quest to open a new con nec tion. If the scan ner re ceives a re sponse that has the SYN and ACK flags set, this in di cates that the sys tem is mov ing to the sec ond phase in the three-way TCP hand shake and that the port is open. TCP SYN scan ning is also known as “half-open” scan ning.

TCP Con nect Scan ning Opens a full con nec tion to the re mote sys tem on the spec i fied port. This scan type is used when the user run ning the scan does not have the nec es sary per mis sions to run a half-open scan. Most other scan types re quire the abil ity to send raw pack ets, and a user may be re stricted by the op er at ing sys tem from send ing hand crafted pack ets.

TCP ACK Scan ning Sends a packet with the ACK flag set, in di cat ing that it is part of an open con nec tion. This type of scan may be done in an at tempt to de ter mine the rules en forced by a fire wall and the fire wall method ol ogy.

Xmas Scan ning Sends a packet with the FIN, PSH, and URG flags set. A packet with so many flags set is said to be “lit up like a Christ mas tree,” lead ing to the scan’s name.

If you’ve for got ten how the three-way TCP hand shake func tions, you’ll find com plete

cov er age of it in Chap ter 11, “Se cure Net work Ar chi tec ture and Se cur ing Net work Com po nents.”

The most com mon tool used for net work dis cov ery scan ning is an open-source tool called nmap. Orig i nally re leased in 1997, nmap is re mark ably still main tained and in gen eral use to day. It re mains one of the most pop u lar net work se cu rity tools, and al most ev ery se cu rity pro fes sional ei ther uses nmap reg u larly or has used it at some point in their ca reer. You can down load a free copy of nmap or learn more about the tool at http://nmap.org.

When nmap scans a sys tem, it iden ti fies the cur rent state of each net work port on the sys tem. For ports where nmap de tects a re sult, it pro vides the cur rent sta tus of that port:

Open The port is open on the re mote sys tem and there is an ap pli ca tion that is ac tively ac cept ing con nec tions on that port.

Closed The port is ac ces si ble on the re mote sys tem, mean ing that the fire wall is al low ing ac cess, but there is no ap pli ca tion ac cept ing con nec tions on that port.

Fil tered Nmap is un able to de ter mine whether a port is open or closed be cause a fire wall is in ter fer ing with the con nec tion at tempt.

Fig ure 15.1 shows an ex am ple of nmap at work. The user en tered the fol low ing com mand at a Linux prompt:

nmap –vv 52.4.85.159

459

FIG URE 15.1 Nmap scan of a web server run from a Linux sys tem

The nmap soft ware then be gan a port scan of the sys tem with IP ad dress 52.4.85.159. The –vv flag spec i fied with the com mand sim ply tells nmap to use ver bose mode, re port ing de tailed out put of its re sults. The re sults of the scan, ap pear ing to ward the bot tom of Fig ure 15.1, in di cate that nmap found three ac tive ports on the sys tem: 22, 80, and 443. Ports 22 and 80 are open, in di cat ing that the sys tem is ac tively ac cept ing con nec tion re quests on those ports. Port 443 is closed, mean ing that the fire wall con tains rules al low ing con nec tion at tempts on that port but the sys tem is not run ning an ap pli ca tion con fig ured to ac cept those con nec tions.

To in ter pret these re sults, you must know the use of com mon net work ports, as dis cussed in Chap ter 12, “Se cure Com mu ni ca tions and Net work At tacks.” Let’s walk through the re sults of this nmap scan:

The first line of the port list ing, 22/tcp open ssh, in di cates that the sys tem ac cepts con nec tions on TCP port 22. The Se cure Shell (SSH) ser vice uses this port to al low ad min is tra tive con nec tions to servers.

The sec ond line of the port list ing, 80/tcp open http, in di cates that the sys tem is ac cept ing con nec tion re quests on port 80, which is used by Hy per text Trans fer Pro to col (HTTP) to de liver web pages.

The fi nal line of the port list ing, 443/tcp closed https, in di cates that a fire wall rule ex ists to al low ac cess to port 443 but no ser vice is lis ten ing on that port. Port 443 is used by the Hy per text Trans fer Pro to col Se cure (HTTPS) pro to col to ac cept en crypted web server con nec tions.

What can we learn from these re sults? The sys tem be ing scanned is prob a bly a web server that is openly ac cept ing con nec tion re quests from the scanned sys tem. The fire walls be tween the scan ner and this sys tem are con fig ured to al low both se cure (port 443) and in se cure (port 80) con nec tions, but the server is not set up to ac tu ally per form en crypted trans ac tions. The server also has an ad min is tra tive port open that may al low com mand-line con nec tions.

Port scan ners, net work vul ner a bil ity scan ners, and web vul ner a bil ity scan ners use a

tech nique called ban ner grab bing to iden tify the vari ant and ver sion of a ser vice run ning on a sys tem. This tech nique opens a con nec tion to the ser vice and reads the de tails pro vided on the wel come screen, or ban ner, to as sist with ver sion fin ger print ing.

An at tacker read ing these re sults would prob a bly make a few ob ser va tions about the sys tem that would lead to some fur ther prob ing:

Point ing a web browser at this server would likely give a good idea of what the server does and who op er ates it. Sim ply typ ing http://52.4.85.159 in the ad dress bar of the browser may re veal use ful in for ma tion. Fig ure 15.2 shows the re sult of per form ing this: the site is run ning a de fault in stal la tion of the Apache web server.

Con nec tions to this server are un en crypted. Eaves drop ping on those con nec tions, if pos si ble, may re veal sen si tive in for ma tion.

The open SSH port is an in ter est ing find ing. An at tacker may try to con duct a brute-force pass word at tack against ad min is tra tive ac counts on that port to gain ac cess to the sys tem.

460

FIG URE 15.2 De fault Apache server page run ning on the server scanned in Fig ure 15.1

In this ex am ple, we used nmap to scan a sin gle sys tem, but the tool also al lows scan ning en tire net works for sys tems with open ports. The scan shown in Fig ure 15.3 scans across the 192.168.1.0/24 net work, in clud ing all ad dresses in the range 192.168.1.0–192.168.1.255.

The fact that you can run a net work dis cov ery scan doesn’t mean that you may or should

run that scan. You should only scan net works where you have ex plicit per mis sion from the net work owner to per form se cu rity scan ning. Some ju ris dic tions con sider unau tho rized scan ning a vi o la tion of com puter abuse laws and may pros e cute in di vid u als for an act as sim ple as run ning nmap on a cof fee shop wire less net work.

FIG URE 15.3 Nmap scan of a large net work run from a Mac sys tem us ing the Ter mi nal util ity

Net work Vul ner a bil ity Scan ning

461

Net work vul ner a bil ity scans go deeper than dis cov ery scans. They don’t stop with de tect ing open ports but con tinue on to probe a tar geted sys tem or net work for the pres ence of known vul ner a bil i ties. These tools con tain data bases of thou sands of known vul ner a bil i ties, along with tests they can per form to iden tify whether a sys tem is sus cep ti ble to each vul ner a bil ity in the sys tem’s data base.

When the scan ner tests a sys tem for vul ner a bil i ties, it uses the tests in its data base to de ter mine whether a sys tem may con tain the vul ner a bil ity. In some cases, the scan ner may not have enough in for ma tion to con clu sively de ter mine that a vul ner a bil ity ex ists and it re ports a vul ner a bil ity when there re ally is no prob lem. This sit u a tion is known as a false pos i tive re port and is some times seen as a nui sance to sys tem ad min is tra tors. Far more dan ger ous is when the vul ner a bil ity scan ner misses a vul ner a bil ity and fails to alert the ad min is tra tor to the pres ence of a dan ger ous sit u a tion. This er ror is known as a false neg a tive re port.

Tra di tional vul ner a bil ity scans are un able to de tect zero-day vul ner a bil i ties that have not yet

been iden ti fied by the scan ner ven dor. You’ll learn more about zero-day vul ner a bil i ties in Chap ter 17, “Pre vent ing and Re spond ing to In ci dents.”

By de fault, net work vul ner a bil ity scan ners run unau then ti cated scans. They test the tar get sys tems with out hav ing pass words or other spe cial in for ma tion that would grant the scan ner spe cial priv i leges. This al lows the scan to run from the per spec tive of an at tacker but also lim its the abil ity of the scan ner to fully eval u ate pos si ble vul ner a bil i ties. One way to im prove the ac cu racy of the scan ning and re duce false pos i tive and false neg a tive re ports is to per form au then ti cated scans of sys tems. In this ap proach, the scan ner has read-only ac cess to the servers be ing scanned and can use this ac cess to read con fig u ra tion in for ma tion from the tar get sys tem and use that in for ma tion when an a lyz ing vul ner a bil ity test ing re sults.

Fig ure 15.4 shows the re sults of a net work vul ner a bil ity scan per formed us ing the Nes sus vul ner a bil ity scan ner against the same sys tem sub jected to a net work dis cov ery scan ear lier in this chap ter.

FIG URE 15.4 Net work vul ner a bil ity scan of the same web server that was port scanned in Fig ure 15.1

The scan re sults shown in Fig ure 15.4 are very clean and rep re sent a well-main tained sys tem. There are no se ri ous vul ner a bil i ties and only two low-risk vul ner a bil i ties re lated to the SSH ser vice run ning on the scanned sys tem. While the sys tem ad min is tra tor may wish to tweak the SSH cryp tog ra phy set tings to re move those low-risk vul ner a bil i ties, this is a very good re port for the ad min is tra tor and pro vides con fi dence that the sys tem is well man aged.

462

Learn ing TCP Ports

In ter pret ing port scan re sults re quires knowl edge of some com mon TCP ports. Here are a few that you should com mit to mem ory when pre par ing for the CISSP exam:

FTP 20/21 SSH 22 Tel net 23 SMTP 25 DNS 53 HTTP 80 POP3 110 NTP 123 Win dows File Shar ing 135, 137–139, 445 HTTPS 443 lpr 515 Mi cro soft SQL Server 1433/1434 Or a cle 1521 H.323 1720 PPTP 1723 RDP 3389 HP Jet Di rect print ing 9100

Nes sus is a com monly used vul ner a bil ity scan ner, but there are also many oth ers avail able. Other pop u lar com mer cial scan ners in clude Qualys’s QualysGuard and Rapid7’s NeX pose. The open source Open VAS scan ner also has a grow ing com mu nity of users.

Or ga ni za tions may also con duct spe cial ized vul ner a bil ity as sess ments of wire less net works. Air crack is a tool com monly used to per form these as sess ments by test ing the en cryp tion and other se cu rity pa ram e ters of wire less net works. It may be used in con junc tion with pas sive mon i tor ing tech niques that may iden tify rogue de vices on the net work.

Web Vul ner a bil ity Scan ning

Web ap pli ca tions pose sig nif i cant risk to en ter prise se cu rity. By their na ture, the servers run ning many web ap pli ca tions must ex pose ser vices to in ter net users. Fire walls and other se cu rity de vices typ i cally con tain rules al low ing web traf fic to pass through to web servers un fet tered. The ap pli ca tions run ning on web servers are com plex and of ten have priv i leged ac cess to un der ly ing data bases. At tack ers of ten try to ex ploit these cir cum stances us ing Struc tured Query Lan guage (SQL) in jec tion and other at tacks that tar get flaws in the se cu rity de sign of web ap pli ca tions.

You’ll find com plete cov er age of SQL in jec tion at tacks, cross-site script ing (XSS), cross-site

re quest forgery (XSRF), and other web ap pli ca tion vul ner a bil i ties in Chap ter 21, “Ma li cious Code and Ap pli ca tion At tacks.”

Web vul ner a bil ity scan ners are spe cial-pur pose tools that scour web ap pli ca tions for known vul ner a bil i ties. They play an im por tant role in any se cu rity test ing pro gram be cause they may dis cover flaws not vis i ble to net work vul ner a bil ity scan ners. When an ad min is tra tor runs a web ap pli ca tion scan, the tool probes the web ap pli ca tion us ing au to mated tech niques that ma nip u late in puts and other pa ram e ters to iden tify web vul ner a bil i ties. The tool then pro vides a re port of its find ings, of ten in clud ing sug gested vul ner a bil ity re me di a tion tech niques. Fig ure 15.5 shows an ex am ple of a web vul ner a bil ity scan per formed us ing the Nes sus vul ner a bil ity scan ning tool. This scan ran against the web ap pli ca tion run ning on the same server as the net work dis cov ery scan in Fig ure 15.1 and the net work vul ner a bil ity scan in Fig ure 15.4. As you read through the scan re port in Fig ure 15.5, no tice that it de tected vul ner a bil i ties that did not show up in the net work vul ner a bil ity scan.

463

FIG URE 15.5 Web ap pli ca tion vul ner a bil ity scan of the same web server that was port scanned in Fig ure 15.1 and net work vul ner a bil ity scanned in Fig ure 15.2.

Do net work vul ner a bil ity scans and web vul ner a bil ity scans sound sim i lar? That’s be cause

they are! Both probe ser vices run ning on a server for known vul ner a bil i ties. The dif fer ence is that net work vul ner a bil ity scans gen er ally don’t dive deep into the struc ture of web ap pli ca tions whereas web ap pli ca tion scans don’t look at ser vices other than those sup port ing web ser vices. Many net work vul ner a bil ity scan ners do per form ba sic web vul ner a bil ity scan ning tasks, but deep-dive web vul ner a bil ity scans re quire spe cial ized, ded i cated web vul ner a bil ity scan ning tools.

You may have no ticed that the Nes sus vul ner a bil ity scan ner per formed both the net work vul ner a bil ity scan shown in Fig ure 15.4 and the web vul ner a bil ity scan shown in Fig ure 15.5. Nes sus is an ex am ple of a hy brid tool that can per form both types of scan.

As with most tools, the ca pa bil i ties for var i ous vul ner a bil ity scan ners vary quite a bit. Be fore us ing a scan ner, you should re search it to make sure it meets your se cu rity con trol ob jec tives.

Web vul ner a bil ity scans are an im por tant com po nent of an or ga ni za tion’s se cu rity as sess ment and test ing pro gram. It’s a good prac tice to run scans in the fol low ing cir cum stances:

Scan all ap pli ca tions when you be gin per form ing web vul ner a bil ity scan ning for the first time. This will de tect is sues with legacy ap pli ca tions.

Scan any new ap pli ca tion be fore mov ing it into a pro duc tion en vi ron ment for the first time.

Scan any mod i fied ap pli ca tion be fore the code changes move into pro duc tion.

Scan all ap pli ca tions on a re cur ring ba sis. Lim ited re sources may re quire sched ul ing these scans based on the pri or ity of the ap pli ca tion. For ex am ple, you may wish to scan web ap pli ca tions that in ter act with sen si tive in for ma tion more of ten than those that do not.

In some cases, web ap pli ca tion scan ning may be re quired to meet com pli ance re quire ments. For ex am ple, the Pay ment Card In dus try Data Se cu rity Stan dard (PCI DSS), dis cussed in Chap ter 4, “Laws, Reg u la tions, and Com pli ance,” re quires that or ga ni za tions ei ther per form web ap pli ca tion vul ner a bil ity scans at least an nu ally or in stall ded i cated web ap pli ca tion fire walls to add ad di tional lay ers of pro tec tion against web vul ner a bil i ties.

In ad di tion to Nes sus, other tools com monly used for web ap pli ca tion vul ner a bil ity scan ning in clude the com mer cial Acunetix scan ner, the open-source Nikto and Wapiti scan ners, and the Burp Suite proxy tool.

Data base Vul ner a bil ity Scan ning

Data bases con tain some of an or ga ni za tion’s most sen si tive in for ma tion and are lu cra tive tar gets for at tack ers. While most data bases are pro tected from di rect ex ter nal ac cess by fire walls, web ap pli ca tions of fer a por tal into those data bases, and at tack ers may lever age data base-backed web ap pli ca tions to di rect at tacks against data bases, in clud ing SQL in jec tion at tacks.

464

SQL in jec tion at tacks and other web ap pli ca tions vul ner a bil i ties are dis cussed in more

de tail in Chap ter 21, “Ma li cious Code and Ap pli ca tion At tacks.” Data base se cu rity is sues are cov ered in Chap ter 9, “Se cu rity Vul ner a bil i ties, Threats, and Coun ter mea sures.”

Data base vul ner a bil ity scan ners are tools that al low se cu rity pro fes sion als to scan both data bases and web ap pli ca tions for vul ner a bil i ties that may af fect data base se cu rity. sqlmap is a com monly used open-source data base vul ner a bil ity scan ner that al lows se cu rity ad min is tra tors to probe web ap pli ca tions for data base vul ner a bil i ties. Fig ure 15.6 shows an ex am ple of sqlmap scan ning a web ap pli ca tion.

FIG URE 15.6 Scan ning a data base-backed ap pli ca tion with sqlmap

Vul ner a bil ity Man age ment Work flow

Or ga ni za tions that adopt a vul ner a bil ity man age ment sys tem should also de velop a work flow ap proach to man ag ing vul ner a bil i ties. The ba sic steps in this work flow should in clude the fol low ing:

1. De tec tion: The ini tial iden ti fi ca tion of a vul ner a bil ity nor mally takes place as the re sult of a vul ner a bil ity scan.

2. Val i da tion: Once a scan ner de tects a vul ner a bil ity, ad min is tra tors should con firm the vul ner a bil ity to de ter mine that it is not a false pos i tive re port.

3. Re me di a tion: Val i dated vul ner a bil i ties should then be re me di ated. This may in clude ap ply ing a ven dor- sup plied se cu rity patch, mod i fy ing a de vice con fig u ra tion, im ple ment ing a work around to avoid the vul ner a bil ity, or in stalling a web ap pli ca tion fire wall or other con trol that pre vents the ex ploita tion of the vul ner a bil ity.

The goal of a work flow ap proach is to en sure that vul ner a bil i ties are de tected and re solved in an or derly fash ion. The work flow should also in clude steps that pri or i tize vul ner a bil ity re me di a tion based upon the sever ity of the vul ner a bil ity, the like li hood of ex ploita tion, and the dif fi culty of re me di a tion.

Pen e tra tion Test ing

The pen e tra tion test goes be yond vul ner a bil ity test ing tech niques be cause it ac tu ally at tempts to ex ploit sys tems. Vul ner a bil ity scans merely probe for the pres ence of a vul ner a bil ity and do not nor mally take of fen sive ac tion against the tar geted sys tem. (That said, some vul ner a bil ity scan ning tech niques may dis rupt a sys tem, al though these op tions are usu ally dis abled by de fault.) Se cu rity pro fes sion als per form ing pen e tra tion tests, on the other hand, try to de feat se cu rity con trols and break into a tar geted sys tem or ap pli ca tion to demon strate the flaw.

Pen e tra tion tests re quire fo cused at ten tion from trained se cu rity pro fes sion als, to a much greater ex tent than vul ner a bil ity scans. When per form ing a pen e tra tion test, the se cu rity pro fes sional typ i cally tar gets a sin gle sys tem or set of sys tems and uses many dif fer ent tech niques to gain ac cess. The process nor mally con sists of the fol low ing phases, il lus trated in Fig ure 15.7

Plan ning in cludes agree ment upon the scope of the test and the rules of en gage ment. This is an ex tremely im por tant phase be cause it en sures that both the test ing team and man age ment are in agree ment about the na ture of the test and that the test is ex plic itly au tho rized.

465

In for ma tion gath er ing and dis cov ery uses man ual and au to mated tools to col lect in for ma tion about the tar get en vi ron ment. This in cludes per form ing ba sic re con nais sance to de ter mine sys tem func tion (such as vis it ing web sites hosted on the sys tem) and con duct ing net work dis cov ery scans to iden tify open ports.

Vul ner a bil ity scan ning probes for sys tem weak nesses us ing net work vul ner a bil ity scans, web vul ner a bil ity scans, and data base vul ner a bil ity scans.

Ex ploita tion seeks to use man ual and au to mated ex ploit tools to at tempt to de feat sys tem se cu rity.

Re port ing sum ma rizes the re sults of the pen e tra tion test ing and makes rec om men da tions for im prove ments to sys tem se cu rity.

Pen e tra tion testers com monly use a tool called Metas ploit to au to mat i cally ex e cute ex ploits against tar geted sys tems. Metas ploit, shown in Fig ure 15.8, uses a script ing lan guage to al low the au to matic ex e cu tion of com mon at tacks, sav ing testers (and hack ers!) quite a bit of time by elim i nat ing many of the te dious, rou tine steps in volved in ex e cut ing an at tack.

FIG URE 15.7 Pen e tra tion test ing process

FIG URE 15.8 The Metas ploit au to mated sys tem ex ploita tion tool al lows at tack ers to quickly ex e cute com mon at tacks against tar get sys tems.

466

Pen e tra tion testers may be com pany em ploy ees who per form these tests as part of their du ties or ex ter nal con sul tants hired to per form pen e tra tion tests. The tests are nor mally cat e go rized into three groups:

White Box Pen e tra tion Test Pro vides the at tack ers with de tailed in for ma tion about the sys tems they tar get. This by passes many of the re con nais sance steps that nor mally pre cede at tacks, short en ing the time of the at tack and in creas ing the like li hood that it will find se cu rity flaws.

Gray Box Pen e tra tion Test Also known as par tial knowl edge tests, these are some times cho sen to bal ance the ad van tages and dis ad van tages of white and black box pen e tra tion tests. This is par tic u larly com mon when black box re sults are de sired but costs or time con straints mean that some knowl edge is needed to com plete the test ing.

Black Box Pen e tra tion Test Does not pro vide at tack ers with any in for ma tion prior to the at tack. This sim u lates an ex ter nal at tacker try ing to gain ac cess to in for ma tion about the busi ness and tech ni cal en vi ron ment be fore en gag ing in an at tack.

Or ga ni za tions per form ing pen e tra tion test ing should be care ful to en sure that they un der stand the haz ards of the test ing it self. Pen e tra tion tests seek to ex ploit vul ner a bil i ties and con se quently may dis rupt sys tem ac cess or cor rupt data stored in sys tems. This is one of the ma jor rea sons that it is im por tant to clearly out line the rules of en gage ment dur ing the plan ning phase of the test as well as have com plete au tho riza tion from a se nior man age ment level prior to start ing any test ing.

Pen e tra tion tests are time-con sum ing and re quire spe cial ized re sources, but they play an im por tant role in the on go ing op er a tion of a sound in for ma tion se cu rity test ing pro gram.

There are many in dus try-stan dard pen e tra tion test ing method olo gies that make a good

start ing point when de sign ing your own pro gram. Con sider us ing the OWASP Test ing Guide, OS STMM, NIST 800-115, Fe dRAMP Pen e tra tion Test Guid ance, or PCI DSS In for ma tion Sup ple ment on Pen e tra tion Test ing as ref er ences.

Test ing Your Soft ware Soft ware is a crit i cal com po nent in sys tem se cu rity. Think about the fol low ing char ac ter is tics com mon to

many ap pli ca tions in use through out the mod ern en ter prise:

Soft ware ap pli ca tions of ten have priv i leged ac cess to the op er at ing sys tem, hard ware, and other re sources.

Soft ware ap pli ca tions rou tinely han dle sen si tive in for ma tion, in clud ing credit card num bers, so cial se cu rity num bers, and pro pri etary busi ness in for ma tion.

Many soft ware ap pli ca tions rely on data bases that also con tain sen si tive in for ma tion.

Soft ware is the heart of the mod ern en ter prise and per forms busi ness-crit i cal func tions. Soft ware fail ures can dis rupt busi nesses with very se ri ous con se quences.

Those are just a few of the many rea sons that care ful test ing of soft ware is es sen tial to the con fi den tial ity, in tegrity, and avail abil ity re quire ments of ev ery mod ern or ga ni za tion. In this sec tion, you’ll learn about the many types of soft ware test ing that you may in te grate into your or ga ni za tion’s soft ware de vel op ment life cy cle.

This chap ter pro vides cov er age of soft ware test ing top ics. You’ll find deeper cov er age of

the soft ware de vel op ment life cy cle (SDLC) and soft ware se cu rity is sues in Chap ter 20, “Soft ware De vel op ment Se cu rity.”

Code Re view and Test ing

One of the most crit i cal com po nents of a soft ware test ing pro gram is con duct ing code re view and test ing. These pro ce dures pro vide third-party re views of the work per formed by de vel op ers be fore mov ing code into a pro duc tion en vi ron ment. Code re views and tests may dis cover se cu rity, per for mance, or re li a bil ity flaws in ap pli ca tions be fore they go live and neg a tively im pact busi ness op er a tions.

Code Re view

Code re view is the foun da tion of soft ware as sess ment pro grams. Dur ing a code re view, also known as a “peer re view,” de vel op ers other than the one who wrote the code re view it for de fects. Code re views may re sult in ap proval of an ap pli ca tion’s move into a pro duc tion en vi ron ment, or they may send the code back to the orig i nal de vel oper with rec om men da tions for re work of is sues de tected dur ing the re view.

467

Code re view takes many dif fer ent forms and varies in for mal ity from or ga ni za tion to or ga ni za tion. The most for mal code re view pro cesses, known as Fa gan in spec tions, fol low a rig or ous re view and test ing process with six steps:

1. Plan ning

2. Over view

3. Prepa ra tion

4. In spec tion

5. Re work

6. Fol low-up

An over view of the Fa gan in spec tion ap pears in Fig ure 15.9. Each of these steps has well-de fined en try and exit cri te ria that must be met be fore the process may for mally tran si tion from one stage to the next.

The Fa gan in spec tion level of for mal ity is nor mally found only in highly re stric tive en vi ron ments where code flaws may have cat a strophic im pact. Most or ga ni za tions use less rig or ous pro cesses us ing code peer re view mea sures that in clude the fol low ing:

De vel op ers walk ing through their code in a meet ing with one or more other team mem bers

A se nior de vel oper per form ing man ual code re view and sign ing off on all code be fore mov ing to pro duc tion

Use of au to mated re view tools to de tect com mon ap pli ca tion flaws be fore mov ing to pro duc tion

FIG URE 15.9 Fa gan in spec tions fol low a rigid for mal process, with de fined en try and exit cri te ria that must be met be fore tran si tion ing be tween stages.

Each or ga ni za tion should adopt a code re view process that suits its busi ness re quire ments and soft ware de vel op ment cul ture.

Static Test ing

Static test ing eval u ates the se cu rity of soft ware with out run ning it by an a lyz ing ei ther the source code or the com piled ap pli ca tion. Static anal y sis usu ally in volves the use of au to mated tools de signed to de tect com mon soft ware flaws, such as buf fer over flows. In ma ture de vel op ment en vi ron ments, ap pli ca tion de vel op ers are given ac cess to static anal y sis tools and use them through out the de sign, build, and test process.

Dy namic Test ing

468

Dy namic test ing eval u ates the se cu rity of soft ware in a run time en vi ron ment and is of ten the only op tion for or ga ni za tions de ploy ing ap pli ca tions writ ten by some one else. In those cases, testers of ten do not have ac cess to the un der ly ing source code. One com mon ex am ple of dy namic soft ware test ing is the use of web ap pli ca tion scan ning tools to de tect the pres ence of cross-site script ing, SQL in jec tion, or other flaws in web ap pli ca tions. Dy namic tests on a pro duc tion en vi ron ment should al ways be care fully co or di nated to avoid an un in tended in ter rup tion of ser vice.

Dy namic test ing may in clude the use of syn thetic trans ac tions to ver ify sys tem per for mance. These are scripted trans ac tions with known ex pected re sults. The testers run the syn thetic trans ac tions against the tested code and then com pare the out put of the trans ac tions to the ex pected state. Any de vi a tions be tween the ac tual and ex pected re sults rep re sent pos si ble flaws in the code and must be fur ther in ves ti gated.

Fuzz Test ing

Fuzz test ing is a spe cial ized dy namic test ing tech nique that pro vides many dif fer ent types of in put to soft ware to stress its lim its and find pre vi ously un de tected flaws. Fuzz test ing soft ware sup plies in valid in put to the soft ware, ei ther ran domly gen er ated or spe cially crafted to trig ger known soft ware vul ner a bil i ties. The fuzz tester then mon i tors the per for mance of the ap pli ca tion, watch ing for soft ware crashes, buf fer over flows, or other un de sir able and/or un pre dictable out comes.

There are two main cat e gories of fuzz test ing:

Mu ta tion (Dumb) Fuzzing Takes pre vi ous in put val ues from ac tual op er a tion of the soft ware and ma nip u lates (or mu tates) it to cre ate fuzzed in put. It might al ter the char ac ters of the con tent, ap pend strings to the end of the con tent, or per form other data ma nip u la tion tech niques.

Gen er a tional (In tel li gent) Fuzzing De vel ops data mod els and cre ates new fuzzed in put based on an un der stand ing of the types of data used by the pro gram.

The zzuf tool au to mates the process of mu ta tion fuzzing by ma nip u lat ing in put ac cord ing to user spec i fi ca tions. For ex am ple, Fig ure 15.10 shows a file con tain ing a se ries of 1s.

FIG URE 15.10 Pre fuzzing in put file con tain ing a se ries of 1s

Fig ure 15.11 shows the zzuf tool ap plied to that in put. The re sult ing fuzzed text is al most iden ti cal to the orig i nal text. It still con tains mostly 1s, but it now has sev eral changes made to the text that might con fuse a pro gram ex pect ing the orig i nal in put. This process of slightly ma nip u lat ing the in put is known as bit flip ping.

469

FIG URE 15.11 The in put file from Fig ure 15.10 af ter be ing run through the zzuf mu ta tion fuzzing tool

Fuzz test ing is an im por tant tool, but it does have lim i ta tions. Fuzz test ing typ i cally doesn’t re sult in full cov er age of the code and is com monly lim ited to de tect ing sim ple vul ner a bil i ties that do not re quire com plex ma nip u la tion of busi ness logic. For this rea son, fuzz test ing should be con sid ered only one tool in a suite of tests per formed, and it is use ful to con duct test cov er age anal y sis (dis cussed later in this chap ter) to de ter mine the full scope of the test.

In ter face Test ing

In ter face test ing is an im por tant part of the de vel op ment of com plex soft ware sys tems. In many cases, mul ti ple teams of de vel op ers work on dif fer ent parts of a com plex ap pli ca tion that must func tion to gether to meet busi ness ob jec tives. The hand offs be tween these sep a rately de vel oped mod ules use well-de fined in ter faces so that the teams may work in de pen dently. In ter face test ing as sesses the per for mance of mod ules against the in ter face spec i fi ca tions to en sure that they will work to gether prop erly when all of the de vel op ment ef forts are com plete.

Three types of in ter faces should be tested dur ing the soft ware test ing process:

Ap pli ca tion Pro gram ming In ter faces (APIs) Of fer a stan dard ized way for code mod ules to in ter act and may be ex posed to the out side world through web ser vices. De vel op ers must test APIs to en sure that they en force all se cu rity re quire ments.

User In ter faces (UIs) Ex am ples in clude graphic user in ter faces (GUIs) and com mand-line in ter faces. UIs pro vide end users with the abil ity to in ter act with the soft ware. In ter face tests should in clude re views of all user in ter faces to ver ify that they func tion prop erly.

Phys i cal In ter faces Ex ist in some ap pli ca tions that ma nip u late ma chin ery, logic con trollers, or other ob jects in the phys i cal world. Soft ware testers should pay care ful at ten tion to phys i cal in ter faces be cause of the po ten tial con se quences if they fail.

In ter faces pro vide im por tant mech a nisms for the planned or fu ture in ter con nec tion of com plex sys tems. The web 2.0 world de pends on the avail abil ity of these in ter faces to fa cil i tate in ter ac tions be tween dis parate soft ware pack ages. How ever, de vel op ers must be care ful that the flex i bil ity pro vided by in ter faces does not in tro duce ad di tional se cu rity risk. In ter face test ing pro vides an added de gree of as sur ance that in ter faces meet the or ga ni za tion’s se cu rity re quire ments.

Mis use Case Test ing In some ap pli ca tions, there are clear ex am ples of ways that soft ware users might at tempt to mis use the

ap pli ca tion. For ex am ple, users of bank ing soft ware might try to ma nip u late in put strings to gain ac cess to an other user’s ac count. They might also try to with draw funds from an ac count that is al ready over drawn. Soft ware testers use a process known as mis use case test ing or abuse case test ing to eval u ate the vul ner a bil ity of their soft ware to these known risks.

In mis use case test ing, testers first enu mer ate the known mis use cases. They then at tempt to ex ploit those use cases with man ual and/or au to mated at tack tech niques.

Test Cov er age Anal y sis

470

While test ing is an im por tant part of any soft ware de vel op ment process, it is un for tu nately im pos si ble to com pletely test any piece of soft ware. There are sim ply too many ways that soft ware might mal func tion or un dergo at tack. Soft ware test ing pro fes sion als of ten con duct a test cov er age anal y sis to es ti mate the de gree of test ing con ducted against the new soft ware. The test cov er age is com puted us ing the fol low ing for mula:

Of course, this is a highly sub jec tive cal cu la tion. Ac cu rately com put ing test cov er age re quires enu mer at ing the pos si ble use cases, which is an ex cep tion ally dif fi cult task. There fore, any one us ing test cov er age cal cu la tions should take care to un der stand the process used to de velop the in put val ues when in ter pret ing the re sults.

The test cov er age anal y sis for mula may be adapted to use many dif fer ent cri te ria. Here are five com mon cri te ria:

Branch cov er age: Has ev ery if state ment been ex e cuted un der all if and else con di tions?

Con di tion cov er age: Has ev ery log i cal test in the code been ex e cuted un der all sets of in puts?

Func tion cov er age: Has ev ery func tion in the code been called and re turned re sults?

Loop cov er age: Has ev ery loop in the code been ex e cuted un der con di tions that cause code ex e cu tion mul ti ple times, only once, and not at all?

State ment cov er age: Has ev ery line of code been ex e cuted dur ing the test?

Web site Mon i tor ing Se cu rity pro fes sion als also of ten be come in volved in the on go ing mon i tor ing of web sites for per for mance

man age ment, trou bleshoot ing, and the iden ti fi ca tion of po ten tial se cu rity is sues. This type of mon i tor ing comes in two dif fer ent forms.

Pas sive mon i tor ing an a lyzes ac tual net work traf fic sent to a web site by cap tur ing it as it trav els over the net work or reaches the server. This pro vides real-world mon i tor ing data that pro vides ad min is tra tors with in sight into what is ac tu ally hap pen ing on a net work. Real user mon i tor ing (RUM) is a vari ant of pas sive mon i tor ing where the mon i tor ing tool re assem bles the ac tiv ity of in di vid ual users to track their in ter ac tion with a web site.

Syn thetic mon i tor ing (or ac tive mon i tor ing) per forms ar ti fi cial trans ac tions against a web site to as sess per for mance. This may be as sim ple as re quest ing a page from the site to de ter mine the re sponse time, or it may ex e cute a com plex script de signed to iden tify the re sults of a trans ac tion.

These two tech niques are of ten used in con junc tion with each other be cause they achieve dif fer ent re sults. Pas sive mon i tor ing is only able to de tect is sues af ter they oc cur for a real user be cause it is mon i tor ing real user ac tiv ity. Pas sive mon i tor ing is par tic u larly use ful for trou bleshoot ing is sues iden ti fied by users be cause it al lows the cap ture of traf fic re lated to that is sue. Syn thetic mon i tor ing may miss is sues ex pe ri enced by real users if they are not in cluded in the test ing scripts, but it is ca pa ble of de tect ing is sues be fore they ac tu ally oc cur.

Im ple ment ing Se cu rity Man age ment Pro cesses In ad di tion to per form ing as sess ments and test ing, sound in for ma tion se cu rity pro grams also in clude a

va ri ety of man age ment pro cesses de signed to over see the ef fec tive op er a tion of the in for ma tion se cu rity pro gram. These pro cesses are a crit i cal feed back loop in the se cu rity as sess ment process be cause they pro vide man age ment over sight and have a de ter rent ef fect against the threat of in sider at tacks.

The se cu rity man age ment re views that fill this need in clude log re views, ac count man age ment, backup ver i fi ca tion, and key per for mance and risk in di ca tors. Each of these re views should fol low a stan dard ized process that in cludes man age ment ap proval at the com ple tion of the re view.

Log Re views In Chap ter 16, “Man ag ing Se cu rity Op er a tions,” you will learn the im por tance of stor ing log data and

con duct ing both au to mated and man ual log re views. Se cu rity in for ma tion and event man age ment (SIEM) pack ages play an im por tant role in these pro cesses, au tomat ing much of the rou tine work of log re view. These de vices col lect in for ma tion us ing the sys log func tion al ity present in many de vices, op er at ing sys tems, and ap pli ca tions. Some de vices, in clud ing Win dows sys tems, may re quire third-party clients to add sys log sup port. Ad min is tra tors may choose to de ploy log ging poli cies through Win dows Group Pol icy Ob jects (GPOs) and other mech a nisms that can de ploy and en force stan dard poli cies through out the or ga ni za tion.

471

Log ging sys tems should also make use of the Net work Time Pro to col (NTP) to en sure that clocks are syn chro nized on sys tems send ing log en tries to the SIEM as well as the SIEM it self. This en sures that in for ma tion from mul ti ple sources has a con sis tent time line.

In for ma tion se cu rity man agers should also pe ri od i cally con duct log re views, par tic u larly for sen si tive func tions, to en sure that priv i leged users are not abus ing their priv i leges. For ex am ple, if an in for ma tion se cu rity team has ac cess to eDis cov ery tools that al low search ing through the con tents of in di vid ual user files, se cu rity man agers should rou tinely re view the logs of ac tions taken by those ad min is tra tive users to en sure that their file ac cess re lates to le git i mate eDis cov ery ini tia tives and does not vi o late user pri vacy.

Net work flow (Net Flow) logs are par tic u larly use ful when in ves ti gat ing se cu rity in ci dents.

These logs pro vide records of the con nec tions be tween sys tems and the amount of data trans ferred.

Ac count Man age ment Ac count man age ment re views en sure that users only re tain au tho rized per mis sions and that unau tho rized

mod i fi ca tions do not oc cur. Ac count man age ment re views may be a func tion of in for ma tion se cu rity man age ment per son nel or in ter nal au di tors.

One way to per form ac count man age ment is to con duct a full re view of all ac counts. This is typ i cally done only for highly priv i leged ac counts be cause of the amount of time con sumed. The ex act process may vary from or ga ni za tion to or ga ni za tion, but here’s one ex am ple:

1. Man agers ask sys tem ad min is tra tors to pro vide a list of users with priv i leged ac cess and the priv i leged ac cess rights. They may mon i tor the ad min is tra tor as they re trieve this list to avoid tam per ing.

2. Man agers ask the priv i lege ap proval au thor ity to pro vide a list of au tho rized users and the priv i leges they should be as signed.

3. The man agers then com pare the two lists to en sure that only au tho rized users re tain ac cess to the sys tem and that the ac cess of each user does not ex ceed their au tho riza tion.

This process may in clude many other checks, such as ver i fy ing that ter mi nated users do not re tain ac cess to the sys tem, check ing the pa per trail for spe cific ac counts, or other tasks.

Or ga ni za tions that do not have time to con duct this thor ough process may use sam pling in stead. In this ap proach, man agers pull a ran dom sam ple of ac counts and per form a full ver i fi ca tion of the process used to grant per mis sions for those ac counts. If no sig nif i cant flaws are found in the sam ple, they make the as sump tion that this is rep re sen ta tive of the en tire pop u la tion.

Sam pling only works if it is ran dom! Don’t al low sys tem ad min is tra tors to gen er ate the

sam ple or use non ran dom cri te ria to se lect ac counts for re view, or you may miss en tire cat e gories of users where er rors may ex ist.

Or ga ni za tions may also au to mate por tions of their ac count re view process. Many iden tity and ac cess man age ment (IAM) ven dors pro vide ac count re view work flows that prompt ad min is tra tors to con duct re views, main tain doc u men ta tion for user ac counts, and pro vide an au dit trail demon strat ing the com ple tion of re views.

Backup Ver i fi ca tion

In Chap ter 18, “Dis as ter Re cov ery Plan ning,” you will learn the im por tance of main tain ing a con sis tent backup pro gram. Man agers should pe ri od i cally in spect the re sults of back ups to en sure that the process func tions ef fec tively and meets the or ga ni za tion’s data pro tec tion needs. This may in volve re view ing logs, in spect ing hash val ues, or re quest ing an ac tual re store of a sys tem or file.

Key Per for mance and Risk In di ca tors Se cu rity man agers should also mon i tor key per for mance and risk in di ca tors on an on go ing ba sis. The

ex act met rics they mon i tor will vary from or ga ni za tion to or ga ni za tion but may in clude the fol low ing:

Num ber of open vul ner a bil i ties

Time to re solve vul ner a bil i ties

Vul ner a bil ity/de fect re cur rence

472

Num ber of com pro mised ac counts

Num ber of soft ware flaws de tected in pre pro duc tion scan ning

Re peat au dit find ings

User at tempts to visit known ma li cious sites

Once an or ga ni za tion iden ti fies the key se cu rity met rics it wishes to track, man agers may want to de velop a dash board that clearly dis plays the val ues of these met rics over time and dis play it where both man agers and the se cu rity team will reg u larly see it.

Sum mary Se cu rity as sess ment and test ing pro grams play a crit i cal role in en sur ing that an or ga ni za tion’s se cu rity

con trols re main ef fec tive over time. Changes in busi ness op er a tions, the tech ni cal en vi ron ment, se cu rity risks, and user be hav ior may al ter the ef fec tive ness of con trols that pro tect the con fi den tial ity, in tegrity, and avail abil ity of in for ma tion as sets. As sess ment and test ing pro grams mon i tor those con trols and high light changes re quir ing ad min is tra tor in ter ven tion. Se cu rity pro fes sion als should care fully de sign their as sess ment and test ing pro gram and re vise it as busi ness needs change.

Se cu rity test ing tech niques in clude vul ner a bil ity as sess ments and soft ware test ing. With vul ner a bil ity as sess ments, se cu rity pro fes sion als per form a va ri ety of tests to iden tify mis con fig u ra tions and other se cu rity flaws in sys tems and ap pli ca tions. Net work dis cov ery tests iden tify sys tems on the net work with open ports. Net work vul ner a bil ity scans dis cover known se cu rity flaws on those sys tems. Web vul ner a bil ity scans probe the op er a tion of web ap pli ca tions search ing for known vul ner a bil i ties.

Soft ware plays a crit i cal role in any se cu rity in fra struc ture be cause it han dles sen si tive in for ma tion and in ter acts with crit i cal re sources. Or ga ni za tions should use a code re view process to al low peer val i da tion of code be fore mov ing it to pro duc tion. Rig or ous soft ware test ing pro grams also in clude the use of static test ing, dy namic test ing, in ter face test ing, and mis use case test ing to ro bustly eval u ate soft ware.

Se cu rity man age ment pro cesses in clude log re views, ac count man age ment, backup ver i fi ca tion, and track ing of key per for mance and risk in di ca tors. These pro cesses help se cu rity man agers val i date the on go ing ef fec tive ness of the in for ma tion se cu rity pro gram. They are com ple mented by for mal in ter nal and ex ter nal au dits per formed by third par ties on a less fre quent ba sis.

Exam Es sen tials Un der stand the im por tance of se cu rity as sess ment and test ing pro grams. Se cu rity as sess ment

and test ing pro grams pro vide an im por tant mech a nism for val i dat ing the on go ing ef fec tive ness of se cu rity con trols. They in clude a va ri ety of tools, in clud ing vul ner a bil ity as sess ments, pen e tra tion tests, soft ware test ing, au dits, and se cu rity man age ment tasks de signed to val i date con trols. Ev ery or ga ni za tion should have a se cu rity as sess ment and test ing pro gram de fined and op er a tional.

Con duct vul ner a bil ity as sess ments and pen e tra tion tests. Vul ner a bil ity as sess ments use au to mated tools to search for known vul ner a bil i ties in sys tems, ap pli ca tions, and net works. These flaws may in clude miss ing patches, mis con fig u ra tions, or faulty code that ex pose the or ga ni za tion to se cu rity risks. Pen e tra tion tests also use these same tools but sup ple ment them with at tack tech niques where an as ses sor at tempts to ex ploit vul ner a bil i ties and gain ac cess to the sys tem.

Per form soft ware test ing to val i date code mov ing into pro duc tion. Soft ware test ing tech niques ver ify that code func tions as de signed and does not con tain se cu rity flaws. Code re view uses a peer re view process to for mally or in for mally val i date code be fore de ploy ing it in pro duc tion. In ter face test ing as sesses the in ter ac tions be tween com po nents and users with API test ing, user in ter face test ing, and phys i cal in ter face test ing.

Un der stand the dif fer ence be tween static and dy namic soft ware test ing. Static soft ware test ing tech niques, such as code re views, eval u ate the se cu rity of soft ware with out run ning it by an a lyz ing ei ther the source code or the com piled ap pli ca tion. Dy namic test ing eval u ates the se cu rity of soft ware in a run time en vi ron ment and is of ten the only op tion for or ga ni za tions de ploy ing ap pli ca tions writ ten by some one else.

Ex plain the con cept of fuzzing. Fuzzing uses mod i fied in puts to test soft ware per for mance un der un ex pected cir cum stances. Mu ta tion fuzzing mod i fies known in puts to gen er ate syn thetic in puts that may trig ger un ex pected be hav ior. Gen er a tional fuzzing de vel ops in puts based on mod els of ex pected in puts to per form the same task.

Per form se cu rity man age ment tasks to pro vide over sight to the in for ma tion se cu rity pro gram. Se cu rity man agers must per form a va ri ety of ac tiv i ties to re tain proper over sight of the in for ma tion se cu rity pro gram. Log re views, par tic u larly for ad min is tra tor ac tiv i ties, en sure that sys tems are not mis used. Ac count man age ment re views en sure that only au tho rized users re tain ac cess to in for ma tion